Private forums not private

I just noticed something that annoys me. I was logged in with a test account (non-admin, just forum participant) and the last screen that I had open when I logged out, was another participant’s profile page. Instead of the expected ‘you are not allowed’ page, I could still see the profile page and when I clicked on the ‘replies created’ link, I could also still see this user’s posts, all of which are posted in private fora! When I click on a subject from that archive page, I do get a 404, but I could read all this user’s posts from his profile.

A bit worried I checked if Google can also find these profile pages and indeed…

Is this due to a setting that I missed or could we get something like private users such as we have private fora?

Ehm, how do I download 2.3? I seem to only get it file by file.
What are the changes by the way? Private profile pages or do these remain public, but is the posts archive related to public or private fora?